1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

127845 Commits

Author SHA1 Message Date
Isaac Boukris
90febd2a33 s4:mit-kdb: Force canonicalization for looking up principals
See also
ac8865a221

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Nov 29 09:32:26 UTC 2021 on sn-devel-184
2021-11-29 09:32:25 +00:00
Andreas Schneider
8b83758b7c s4:kdc: Remove trailing spaces in db-glue.c
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2021-11-29 08:39:37 +00:00
Andreas Schneider
d128a85f99 s4:mit-kdb: Reduce includes to only what's needed
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2021-11-29 08:39:37 +00:00
Andreas Schneider
28be1acd8e mit-kdc: Use more strict KDC default settings
As we require MIT KRB5 >= 1.19 for the KDC, use more secure defaults.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2021-11-29 08:39:37 +00:00
Andrew Bartlett
3507e96b3d CVE-2021-3670 ldap_server: Clearly log LDAP queries and timeouts
This puts all the detail on one line so it can be searched
by IP address and connecting SID.

This relies on the anr handling as otherwise this log
becomes the expanded query, not the original one.

RN: Provide clear logs of the LDAP search and who made it, including
a warning (at log level 3) for queries that are 1/4 of the hard timeout.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14694

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Thu Nov 25 02:30:42 UTC 2021 on sn-devel-184
2021-11-25 02:30:42 +00:00
Andrew Bartlett
5f0590362c CVE-2021-3670 dsdb/anr: Do a copy of the potentially anr query before starting to modify it
RN: Do not modify the caller-supplied memory in the anr=* handling to
allow clear logging of the actual caller request after it has been processed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14694

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-11-25 01:41:30 +00:00
Andrew Bartlett
2b3af3b560 CVE-2021-3670 ldap_server: Remove duplicate print of LDAP search details
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14694

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-11-25 01:41:30 +00:00
Andrew Bartlett
1d5b155619 CVE-2021-3670 ldb: Confirm the request has not yet timed out in ldb filter processing
The LDB filter processing is where the time is spent in the LDB stack
but the timeout event will not get run while this is ongoing, so we
must confirm we have not yet timed out manually.

RN: Ensure that the LDB request has not timed out during filter processing
as the LDAP server MaxQueryDuration is otherwise not honoured.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14694

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-11-25 01:41:30 +00:00
Joseph Sutton
e1ab0c4362 CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14694

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-11-25 01:41:30 +00:00
Joseph Sutton
86fe9d4888 CVE-2021-3670 ldap_server: Set timeout on requests based on MaxQueryDuration
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14694

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-11-25 01:41:30 +00:00
Joseph Sutton
dcfcafdbf7 CVE-2021-3670 tests/krb5/test_ldap.py: Add test for LDAP timeouts
We allow a timeout of 2x over to avoid this being a flapping test.
Samba is not very accurate on the timeout, which is not otherwise an
issue but makes this test fail sometimes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14694

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-11-25 01:41:30 +00:00
Douglas Bagnall
b5e0f33e82 pytest/docs: better spelling of set_smbconf_arbitrary
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>

Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Mon Nov 22 11:18:09 UTC 2021 on sn-devel-184
2021-11-22 11:18:09 +00:00
Douglas Bagnall
b674c57a18 pytest/docs: set_smbconf_arbitrary_opposite() needs param_type
also, we fixed the name ("arbitrary", not "arbitary").

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
2021-11-22 10:28:34 +00:00
Douglas Bagnall
5bbf105937 pytest/dns_aging: remove duplicate tests
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
2021-11-22 10:28:34 +00:00
Douglas Bagnall
524ca3c6d2 pytest/dns_aging: use correct variable names
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-11-22 10:28:34 +00:00
Douglas Bagnall
b5e2651f1c py/dnsserver: add a missing exception variable
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
2021-11-22 10:28:34 +00:00
Douglas Bagnall
3c18bb6c77 py/dnsserver: add missing imports
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.com>
2021-11-22 10:28:34 +00:00
Douglas Bagnall
1926335839 third_party/update: forget pep8
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>

Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Fri Nov 19 13:25:16 UTC 2021 on sn-devel-184
2021-11-19 13:25:16 +00:00
Douglas Bagnall
2c3596e721 pytest/source_chars: forget thirdparty/pep8 test file
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
2021-11-19 12:35:39 +00:00
Douglas Bagnall
e94e649bbb third_party: remove pep8
This was a *partial* copy of the python linting tool that has been
known as 'pycodestyle' since 2017. I say partial copy, because it does
not seem to contain the pep8 binary itself, just some documentation
and tests. It has not been changed since it was added in 2015.

It is GOOD that people run python linters, but this doesn't help them
in the slightest.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
2021-11-19 12:35:39 +00:00
Volker Lendecke
cdc0268c19 cmdline: Make -P work in clustered mode
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14908
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Nov 17 18:29:09 UTC 2021 on sn-devel-184
2021-11-17 18:29:09 +00:00
Volker Lendecke
63c80f25da cmdline: Add a callback to set the machine account details
source3 clients need to work in clustered mode, the default
cli_credentials_set_machine_account() only looks at the local
secrets.tdb file

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14908
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-11-17 17:41:30 +00:00
Volker Lendecke
d627052569 lib: Add required includes to source3/include/secrets.h
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14908
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-11-17 17:41:30 +00:00
Volker Lendecke
9faa317319 selftest: Add reproducer for bug 14908
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14908
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-11-17 17:41:30 +00:00
Douglas Bagnall
2868b80364 lib/replace/timegm: use utf-8
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Nov 17 05:27:39 UTC 2021 on sn-devel-184
2021-11-17 05:27:39 +00:00
Douglas Bagnall
039f876c4e s4/auth/gensec/gensec_krb5_heimdal: use utf-8
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-11-17 04:36:37 +00:00
Douglas Bagnall
6ced906e2b test/blackbox/test_samba-tool_ntacl: use utf-8
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-11-17 04:36:37 +00:00
Douglas Bagnall
4c85693f55 s3/modules/vfs_acl_common.h: use utf-8
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-11-17 04:36:36 +00:00
Douglas Bagnall
c3194d0d65 test/bad_chars: ensure our tests could fail
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-11-17 04:36:36 +00:00
Douglas Bagnall
fccb105e07 pytests: check that we don't have bad format characters
Unicode has format control characters that affect the appearance —
including the apparent order — of other characters. Some of these,
like the bidi controls (for mixing left-to-right scripts with
right-to-left scripts) can be used make text that means one thing look
very much like it means another thing.

The potential for duplicity using these characters has recently been
publicised under the name “Trojan Source”, and CVE-2021-42694. A
specific example, as it affects the Rust language is CVE-2021-42574.

We don't have many format control characters in our code — in fact,
just the non-breaking space (\u200b) and the redundant BOM thing
(\ufeff), and this test aims to ensure we keep it that way.

The test uses a series of allow-lists and deny-lists to check most
text files for unknown format control characters. The filtering is
fairly conservative but not exhaustive. For example, XML and text
files are checked, but UTF-16 files are not.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-11-17 04:36:36 +00:00
Jeremy Allison
1c8ea2448e s3: smbd: In SMB1 call_trans2findnext() add and use a helper variable to ensure we don't call mangle_is_mangled() with a posix name.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Nov 16 21:06:38 UTC 2021 on sn-devel-184
2021-11-16 21:06:38 +00:00
Jeremy Allison
761c919045 s3: smbd: In unlink_internals() ensure we never call mangle_is_mangled for a posix path.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-11-16 20:21:37 +00:00
Jeremy Allison
e2c45a0926 s3: smbd: SMB1 reply_copy(). Posix pathnames always means case_sensitive = true.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-11-16 20:21:37 +00:00
Jeremy Allison
e3c40250fb s3: smbd: SMB1 reply_copy(). Posix pathnames should never call into mangle_is_mangled().
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-11-16 20:21:37 +00:00
Jeremy Allison
d0d8f32d8f s3: smbd: In SMB1 reply_copy(), make req->posix_pathnames a helper variable.
I need to use it elsewhere in here.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-11-16 20:21:37 +00:00
Jeremy Allison
826ae5c806 s3: smbd: Add and use helper variables for case_sensitive, case_preserve, short_case_preserve to rename_internals().
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-11-16 20:21:37 +00:00
Jeremy Allison
395acac7b4 s3: smbd: Ensure we never call mangle_is_mangled() for a posix path.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-11-16 20:21:37 +00:00
Jeremy Allison
23be0565dc s3: smbd: Add and use helper variable posix_pathname in rename_internals().
We're going to re-use it inside this function.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-11-16 20:21:37 +00:00
Jeremy Allison
026b431896 s3: smbd: Add and use helper variables case_sensitive, case_preserve in rename_internals_fsp().
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-11-16 20:21:37 +00:00
Jeremy Allison
836d6f8a22 s3: smbd: Add and use case_sensitive helper variable to unlink_internals().
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-11-16 20:21:37 +00:00
Jeremy Allison
89d986ec13 s3: smbd: Use a helper variable in smbd_smb2_query_directory_send().
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-11-16 20:21:37 +00:00
Jeremy Allison
db6902a3c5 s3: smbd: In open_file() use the helper variable to select correct case_sensitive setting to is_in_path().
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-11-16 20:21:37 +00:00
Jeremy Allison
51b582546b s3: smbd: In open_file(), use a helper variable instead of always checking sp->posix_flags & FSP_POSIX_FLAGS_OPEN.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-11-16 20:21:37 +00:00
Jeremy Allison
df8abb5aa7 s3: smbd: Use dptr_case_sensitive() in directory listing code.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-11-16 20:21:37 +00:00
Jeremy Allison
e163f22e81 s3: smbd: Add dptr_case_sensitive(). Not yet used.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-11-16 20:21:37 +00:00
Jeremy Allison
ab1e97f87b s3: smbd: In OpenDir_fsp(), set dir_hnd->case_sensitive to true if FSP_POSIX_FLAGS_OPEN is set.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-11-16 20:21:37 +00:00
Jeremy Allison
ede3a45dfc s3: smbd: Use dir_hnd->case_sensitive instead of conn->case_sensitive.
No logic change.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-11-16 20:21:37 +00:00
Jeremy Allison
af35c684a3 s3: smbd: Add case_sensitive to struct smb_Dir.
Not yet used.

This allows it to be independent of conn settings on
a per-handle-basis for SMB2 posix.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-11-16 20:21:37 +00:00
Jeremy Allison
1b130decc2 s3: smbd: Use state->case_sensitive instead of state->conn->case_sensitive.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-11-16 20:21:37 +00:00
Jeremy Allison
1240f741e6 s3: smbd: Add 'bool case_sensitive' to struct smbd_dirptr_lanman2_state.
Initialize from conn->case_sensitive. Not yet used.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-11-16 20:21:37 +00:00